~ Strathmore University Centre for Intellectual Property and Information Technology Law (CIPIT)

Need for Policy and Legal Framework for ICT Critical Infrastructure

Critical Infrastructure (CI) comprises essential services such as electricity, water, transportation, telecommunications, commerce and health. The convergence of networks and information systems now means that the provisioning of these services substantially relies on the seamless operation of Information and Communication Technologies (ICTs). This ICT-related Critical Infrastructure includes telecommunications networks, the Internet, and terrestrial and satellite wireless networks. While all national infrastructure is at risk from damage or destruction by natural or manmade events, damage to CI could have negative consequences for national security, the economy, or the well-being of citizens.

It is for this reason that the Cabinet Secretaries of the Ministries of Transport and Infrastructure, Energy and Petroleum, and Information, Communications and Technology came together and resolved to form a Taskforce to draft a policy and legislative framework for the protection of CI in the country. It is hoped that a robust CI policy and legislative framework will bring the losses incurred through damage to infrastructure to below Ksh. 500 million in the next three years, from the current Ksh. 1.5 billion to Ksh. 2 billion annually.

It is submitted that there is a need to address the risks posed to infrastructure by cyber attacks in addition to attacks from conventional sources. In this regard, there is a substantive difference between the traditional realm, where kinetic attacks require physical proximity and are generally easily attributed, and cyber attacks, where neither of these factors is necessarily present. The growing sophistication and apparent proliferation of cyber attacks on infrastructure mean that this cannot be ignored.

This fact has been appreciated in neighbouring Nigeria in their new Cybercrime Act, signed into law in May last year. The Act stipulates that henceforth, any crime or injury on critical national information infrastructure, including unlawful access to computer systems and Cyber-Terrorism, among others, would be punishable by law. The offenses and penalties the Act lists include unlawful access to computers, unlawful operation of cybercafes, system interference, intercepting electronic messages, emails, e-money transfer, tampering with critical infrastructure, and computer-related forgery, among others. Theft of electronic devices, electronic signatures and related offences are also punishable under the Act.

In the Kenyan context, the ICT Authority notes that:

Currently the deployment, maintenance and protection of these Critical Infrastructures are done in an independent and uncoordinated manner leading to disruption of essential services and losses due to accidental damage. Most of these ICT services are implemented and managed by private sector players. There is need to consider having a whole inclusive approach in the planning, designing and implementation of the critical infrastructure so that ICT sub components become part of it.

In light of the above, it is important that the process of making and implementing policies and laws relating to CI is inter-ministerial in nature and inclusive of all interested parties and stakeholders.

The Taskforce on formulation of the CI Bill is therefore requesting the public to submit written memoranda by email to critical@icta.go.ke.